ACS replication issue on VMware ESX 3.5

stuart.nadin
Level 1

I have just installed ACS 4.2 on two VMware hosts. I've configured database replication but it won't work. The error message is "shared secret mismatch". This error message occurs if a NAT device is in the path (which it isn't in this case) or if the tcp header is otherwise changed during transmission. I'm wondering if VMware is adding something to the TCP header. Has anyone come across this problem before or has anyone successfully implemented ACS replication when both hosts are on VMware?

Thanks.

7 Replies

Jatin Katyal
Cisco Employee

Hi,

I see that you are getting the "shared secret mismatch" error under the database replication logs. Just wanted to inform you that this is not because of a NAT'ed device. This happens when we have different keys for the AAA servers on the primary and secondary ACS.

The primary server must be configured as an AAA server and must have a key.

The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's own key. The shared secret key should be the same on both ACSs.

I am sending you a link for Setting Up Replication for Cisco Secure ACS; I am sure this example with screenshots gives you a better understanding.

Please visit the below suggested URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00800e518a.shtml

If that doesn't resolve the issue, please let me know if you see any server with this ip address 127.0.0.1.

HTH

JK

-Plz rate helpful posts-

~Jatin

Thanks for the post, but I'm afraid that is not the issue. The keys and the replication setup are correct.

Stuart:

Well, that's great if you've configured it correctly. However, sometimes when we copy and paste the key it copies the HTML characters, and that could be an issue.

So just to be on the safer side, I want you to manually type the key again for both the servers. Also, make sure that there is no self entry with 127.0.0.1 in the AAA server section.

HTH

JK

-Plz rate helpful posts-

~Jatin

Yes, I've just tried manually entering the key. Same result. There's no entry for 127.0.0.1 in the AAA server section. Thanks.

Problem solved. No further replies needed. Thanks.

Stuart,

can you please post your solution. I have lost about 1 week with a very similar problem. I have ACS 4.2 installed on VMware. When I add devices with the necessary name, IP address and shared secret and then proceed to save and submit, I get an error message "shared secret must not be blank". I have created new virtual machines, added patches, completely reinstalled, but the same error... it's driving me crazy. It is a very simple task.

regards

nick

Hello Nick. Sorry for the slow reply, I've been out of the office. I followed these instructions:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a0080742f60.shtml

The instructions tell you to create an entry on server1 for server2 and vice versa. It didn't work when I did this.

The solution was as follows. In the AAA server table on my server1, there is a default entry for server1 itself with a key of "secret_value". Change this to a key of your choice. On server2 I then added an entry for server1 using the same key.

This solved the problem and is somewhat different to the instructions on CCO.

Regards,

Stuart
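A consistency check for the misconfigurations this thread identifies (the secondary's key for the primary not matching the primary's own self-entry key, the default self-entry key left untouched, a 127.0.0.1 self-entry, and HTML characters pasted into a key), written as an added example that is not from the thread or from Cisco. The AAA server table layout, host names and keys are constructed assumptions, not an ACS export format.

```python
import re

# Constructed AAA-server tables modelling the thread's scenario (assumption, not an
# ACS export format): each ACS host maps AAA server name -> {"ip": ..., "key": ...}.
PRIMARY = {
    "server1": {"ip": "10.0.0.1", "key": "secret_value"},  # default self-entry, untouched
    "server2": {"ip": "10.0.0.2", "key": "R3plKey!"},
}
SECONDARY = {
    "server1": {"ip": "10.0.0.1", "key": "R3plKey!"},  # key for the primary
    "server2": {"ip": "10.0.0.2", "key": "R3plKey!"},
}

DEFAULT_PLACEHOLDER = "secret_value"  # the default self-entry key quoted in the thread
# Residue that survives a copy/paste from a rendered HTML page: entities, NBSP,
# zero-width space, line breaks and tabs.
SUSPECT_KEY = re.compile(r"&[a-z#0-9]+;|[\u00a0\u200b\r\n\t]")


def check_replication_keys(primary, secondary, primary_name):
    """Return findings that would explain a 'shared secret mismatch' between the hosts."""
    findings = []
    self_entry = primary.get(primary_name)
    if self_entry is None:
        findings.append(f"primary has no AAA-server entry for itself ({primary_name})")
    elif self_entry["key"] == DEFAULT_PLACEHOLDER:
        findings.append("primary self-entry still uses the default placeholder key")
    peer_entry = secondary.get(primary_name)
    if peer_entry is None:
        findings.append(f"secondary has no AAA-server entry for {primary_name}")
    elif self_entry is not None and peer_entry["key"] != self_entry["key"]:
        findings.append("secondary's key for the primary differs from the primary's own key")
    # Per-host sanity checks raised elsewhere in the thread.
    for host, table in (("primary", primary), ("secondary", secondary)):
        for name, entry in table.items():
            if entry["ip"] == "127.0.0.1":
                findings.append(f"{host}: loopback self-entry {name} (127.0.0.1) present")
            if not entry["key"]:
                findings.append(f"{host}: blank key for {name}")
            elif SUSPECT_KEY.search(entry["key"]):
                findings.append(f"{host}: key for {name} contains pasted HTML/whitespace characters")
    return findings


if __name__ == "__main__":
    for finding in check_replication_keys(PRIMARY, SECONDARY, "server1"):
        print(finding)
```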